
DORA: Knocking On Risk Management’s Door

DORA Compliance

Shared Assessments’ Standardized Information Gathering Questionnaire (SIG) is a valuable tool for achieving DORA (Digital Operational Resilience Act) compliance. The SIG provides a structured framework for assessing third-party risk, and the Shared Assessments 2025 SIG, to be released later this week, offers robust support for DORA requirements through its mappings.

How The Standardized Information Gathering Questionnaire (SIG) Covers DORA

DORA places a strong emphasis on managing risks associated with third-party service providers. By ensuring these third parties meet robust security and resilience standards, organizations can significantly enhance their overall operational resilience.

The 2025 SIG Questionnaire is designed to evaluate various aspects of a third party’s risk profile, including:

  • Cybersecurity: Assessing a third party’s security controls and practices.
  • Business Continuity: Evaluating a third party’s ability to maintain operations during disruptions.
  • Operational Resilience: Assessing a third party’s capacity to withstand and recover from adverse events.

The 2025 SIG Questionnaire devotes a set of questions to DORA compliance across its various scoping levels:

  • SIG Lite: 2 Questions
  • SIG Core: 8 Questions
  • SIG Detail: 47 Questions

The SIG provides a consistent methodology for assessing third-party risks, helping organizations identify and prioritize potential vulnerabilities. By covering a wide range of risk categories, SIG can help organizations identify risks that might not be apparent through other assessment methods. The SIG can be used to gather evidence of third-party compliance with various regulatory requirements, including those outlined in DORA.

By leveraging the forthcoming Shared Assessments 2025 SIG as part of a broader third-party risk management program, organizations can strengthen their vendor due diligence and make significant progress towards DORA compliance.

What is DORA?

DORA is an EU regulation that entered into force in January 2023 and applies from January 2025. It aims to strengthen the IT security of financial entities such as banks, insurance companies and investment firms. As stated by the European Insurance and Occupational Pensions Authority (EIOPA), DORA is meant to make sure “that the financial sector in Europe can stay resilient in the event of a severe operational disruption.”

DORA weaves together rules on operational resilience for the financial sector, applying to numerous types of financial entities and to the ICT (Information and Communication Technology) third-party service providers that serve them.

The financial sector is increasingly dependent on technology to deliver its services – and may become even more so with the emerging role of Artificial Intelligence – which makes financial entities vulnerable to cyber-incidents. (Look no further than the 10 Biggest Breaches in Finance to understand that cybercriminals choose their targets based on maximum impact and maximum profit – the financial sector is disproportionately impacted.)

When not managed properly, ICT risks can lead to disruptions of financial services on a global scale. In turn, this would impact other companies, sectors, and even the broader economy, which underscores the importance of the digital operational resilience of the financial sector.

6 Key Areas Covered By DORA

DORA’s requirements are commonly grouped into 6 pillars:

  1. ICT risk management: Principles and requirements for an ICT risk management framework
  2. ICT third-party risk management: Monitoring of ICT third-party providers and key contractual provisions
  3. Digital operational resilience testing: Basic and advanced testing
  4. ICT-related incidents: General requirements and reporting of major ICT-related incidents to competent authorities
  5. Information sharing: Exchange of information and intelligence on cyber threats
  6. Oversight of critical third-party providers: Oversight framework for critical ICT third-party providers

Questions About DORA and the SIG?

As international liaisons for Shared Assessments, we specialize in risk management. We would welcome the opportunity to meet with you briefly to discuss how we can help your organization with DORA compliance using the SIG.